Encrypting Passwords for Java External Adapters

Use an independent keystore to encrypt passwords in external adapter configuration files, and configure the Server to decrypt the encrypted value at runtime.

Prerequisites
Set the ESP_HOME environment variable. Event Stream Processor supports Java Runtime Environment 1.6.0.22 or later.
Task

Java external adapter configuration files specify the encryption algorithm that the Server uses to authorize decryption.

  1. Use any text editor to open the desired external adapter configuration file.
  2. Call the encrypt.sh script:
    $JAVA_HOME/bin/java -cp jar/adapterapi.jar:jar/commons-codec-1.3.jar com.sybase.esp.adapter.api.CryptUtils encrypt <password> <alias/user> RSA <keystorepath>/keystore.jks <keystorepassword>
    1. Copy the password string from the external adapter configuration file and paste it in the position of the <password> variable in the encrypt.sh script.
    2. Replace the <alias/user> variable with the store key-alias (user name).
    3. Provide the name of the authentication method the external adapter is using. The default is RSA.
    4. Replace the <keystorepath> variable with the filepath to the keystore.jks file.
    5. Replace the <keystorepassword> variable with the keystore password.
    6. Run the script.
      The action produces a string of encrypted text that contains your hidden password:
      ilNkDIv7MK99CvRHkVmDunuAvErHEyNdGZ+VTe63PBMEbyZ2CfZf6iHhCtDXD6fR9jPYIT/3FcyHmX2VL5xEeDL29KJP4xPS6d9/TUIozJvJb9YhA8yyHUGv9iGUmtJdcN4vvQ1XJPSGHD84vIKSHQOfz8UlZKl07uJl54b47JXi+hIt1X3hZtGAaKuNt9BDo3KIgD4McehJFH2eT0vYmLHjWAL+JoO4V0/+e9ZlgF4hzjpVkYaO5zik7WyWbvVzLcv4sT4A77CGq4/uo+ZsJlGdBQ/qlSXDBUKBacHhmYBV1j5xZgxLPu2feEl1OGP/+27126/Lz0M/JVeShDOw==
      Note: Use the decrypt.sh script to validate encrypted text. To run the decrypt command against the encrypted text, call the decrypt.sh script and provide the same credentials you provided for the encrypt.sh script.
    7. Copy and paste the encrypted text from the script to the text editor containing the configuration file. Replace the original password under the espPassword parameter with the encrypted text, then create and set the encrypted attribute for the parameter to true.
      If set to true, this attribute ensures that the Server recognizes the password as encrypted text and is able to decrypt the password at runtime. If the attribute is set to false, the Server does not recognize the password as encrypted text and, therefore, tries to process the password without decrypting it, resulting in errors.
      <espPassword encrypted="true">ilNkDIv7MK99CvRHkVmDunuAvErHEyNdGZ+VTe63PBMEbyZ2CfZf6iHhCtDXD6fR9jPYIT/3FcyHmX2VL5xEeDL29KJP4xPS6d9/TUIozJvJb9YhA8yyHUGv9iGUmtJdcN4vvQ1XJPSGHD84vIKSHQOfz8UlZKl07uJl54b47JXi+hIt1X3hZtGAaKuNt9BDo3KIgD4McehJFH2eT0vYmLHjWAL+JoO4V0/+e9ZlgF4hzjpVkYaO5zik7WyWbvVzLcv4sT4A77CGq4/uo+ZsJlGdBQ/qlSXDBUKBacHhmYBV1j5xZgxLPu2feEl1OGP/+27126/Lz0M/JVeShDOw==</espPassword>
  3. The external adapter configuration file contains an <espConnection> section that includes the parameters needed to connect to esp_server. Provide values for espHost and espPort, and in the case of a cluster, supply the cluster URI under espConnection.
    <!-- Event Stream Processor settings -->
    <esp>
      <espConnection>
        <espHost>localhost</espHost>
        <espPort>22000</espPort>
        <!-- <espProjectUri>esp://localhost:19011/ws1/p1</espProjectUri> -->
      </espConnection>
  4. The <espSecurity> section contains parameters required to enable authentication for the external adapter, such as user name and password. Specify an authentication type for espAuthType.
    Authentication Type              Required Value
    Kerberos                         user_password
    LDAP                             user_password
    keystore, keystore password      server_rsa
    Native OS (user name/password)   user_password

    Example using the Kerberos authentication value:

    <espAuthType>user_password</espAuthType>
  5. Provide values for other required fields, based on the chosen authentication type.

    Regardless of authentication type, if the password is encrypted, you must define values for espRSAKeyStore and espRSAKeyStorePassword.

    <!-- <espRSAKeyFile>/keyfilepath/espuser.private.der</espRSAKeyFile> -->
    <espRSAKeyStore>/keystore/keystore.jks</espRSAKeyStore>
    <espRSAKeyStorePassword>Sybase123</espRSAKeyStorePassword>
    <espEncryptionAlgorithm>RSA</espEncryptionAlgorithm>
  6. Modify the authentication type specified for espEncryptionAlgorithm as needed. The default value is RSA. Your other option is DSA.
  7. Save the configuration file.
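
One way to check a saved configuration file against the rules in steps 2 to 6, as an added example that is not part of the product or its documentation. The function name lint_adapter_config, the <esp>/<espSecurity> nesting of the constructed samples, and the assumption that the encrypt output is Base64 (inferred from the sample string above) are this example's own.

```python
import base64
import xml.etree.ElementTree as ET

AUTH_TYPES = {"user_password", "server_rsa"}  # values from the table in step 4
ALGORITHMS = {"RSA", "DSA"}                   # options named in step 6
def _value(root, tag):  # stripped text of the first <tag> under root, or ''
    el = root.find(f".//{tag}")
    return (el.text or "").strip() if el is not None else ""

def lint_adapter_config(xml_text):
    """Return a list of findings for one adapter configuration document."""
    root = ET.fromstring(xml_text)
    findings = []
    pw = root.find(".//espPassword")
    if pw is None:
        findings.append("espPassword missing")
    elif pw.get("encrypted") != "true":
        findings.append('espPassword not marked encrypted="true"')
    else:
        # Assumption: the encrypt output is Base64, as the sample string suggests.
        try:
            if not base64.b64decode((pw.text or "").strip(), validate=True):
                raise ValueError("empty value")
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("espPassword flagged encrypted but is not Base64")
        for tag in ("espRSAKeyStore", "espRSAKeyStorePassword"):
            if not _value(root, tag):
                findings.append(f"{tag} required when password is encrypted")
    if _value(root, "espAuthType") not in AUTH_TYPES:
        findings.append("espAuthType must be user_password or server_rsa")
    if (_value(root, "espEncryptionAlgorithm") or "RSA") not in ALGORITHMS:
        findings.append("espEncryptionAlgorithm must be RSA or DSA")
    return findings

# Constructed samples; the ciphertext is a placeholder, not real encrypt output.
GOOD = """<esp><espSecurity>
  <espAuthType>user_password</espAuthType>
  <espPassword encrypted="true">Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=</espPassword>
  <espRSAKeyStore>/keystore/keystore.jks</espRSAKeyStore>
  <espRSAKeyStorePassword>placeholder</espRSAKeyStorePassword>
  <espEncryptionAlgorithm>RSA</espEncryptionAlgorithm>
</espSecurity></esp>"""
BAD = """<esp><espSecurity>
  <espAuthType>kerberos</espAuthType>
  <espPassword encrypted="true">hunter2!</espPassword>
  <!-- <espRSAKeyStore>/keystore/keystore.jks</espRSAKeyStore> -->
</espSecurity></esp>"""
if __name__ == "__main__":
    print({"GOOD": lint_adapter_config(GOOD), "BAD": lint_adapter_config(BAD)})
```

The check does not cover espRSAKeyStorePassword itself, which the fragment in step 5 stores in cleartext, so the configuration file and keystore.jks still need restrictive file permissions.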